On behalf of my client Red Alert Labs, I have been participating in meetings of the Industry IoT Consortium (formerly known as the Industrial Internet Consortium). Since Red Alert Labs specializes in IoT security regulation, Roland Atoui, the president of RAL, and I volunteered to present on the state of IoT cyber regulation in the EU and the US, at meetings of the IIC Security Working Group. Both of our presentations are available on YouTube.
While there are no current cyber regulations for IoT devices in the US, Executive Order 14028 last May required NIST to develop a “device labeling program” for “consumer” IoT devices, and that program was the subject of my presentation. I gave my presentation in early December, a couple of weeks before NIST released preliminary guidelines for the labeling program (their final guidelines are due on February 6, along with their final guidelines for SBOMs and other items addressed in Section 4(e) of the EO). You can view it here (my presentation runs about 20 minutes and is followed by another 20 minutes of really good Q&A).
Since NIST hadn’t given any clue about what they were considering for the program at the time, I was optimistic that it would be what I considered a good program – risk-based and mostly focused on educating the consumer about steps they could take to mitigate the risks, rather than giving an up-or-down judgment on whether the device was “secure” or not. My presentation reflects that opinion.
However, when NIST came out with their preliminary guidelines for the IoT device labeling program, I was quite disappointed. They wanted to have a risk-based program, but they also wanted to have an up-or-down label. You can’t have it both ways. Fortunately, those were just preliminary guidelines, and I’m optimistic that what NIST comes out with on the 6th will be better.
Roland presented early in January, along with Isaac Dangana of Red Alert. They discussed the European Cybersecurity Act, which came into effect in 2019. This is meant to be the governance framework for all cyber regulation in Europe, although there are a few regulatory schemes in countries like Germany now (as well as in particular industries like 5G); these will all be replaced as equivalent European schemes come into place.
What I find really interesting about the Act is that it doesn’t in itself regulate anything; rather it provides a governance framework for certification schemes that address particular areas of cybersecurity. The schemes are developed by ENISA, the EU Agency for Cyber Security. Two schemes have already been developed: for the Common Criteria and for the cloud. Red Alert was engaged by ENISA to develop guidelines for both of these schemes. Roland expects that ENISA will start work – with industry, of course – on an IoT scheme this year.
To be honest, I never realized there was such a difference between cyber regulation in the US and the EU. I’m not sure how I’d characterize that difference at this point; and since the situation is changing rapidly on both sides of the ocean, I think I’ll wait a while before I form an opinion about who has the better ideas for cyber regulation. Although maybe I’ll decide they both have their strong points and weak points, which is most likely the case.
Any opinions expressed in this blog post are strictly mine and are not necessarily shared by any of the clients of Tom Alrich LLC. Nor are they necessarily shared by CISA’s Software Component Transparency Initiative, for which I volunteer as co-leader of the Energy SBOM Proof of Concept. If you would like to comment on what you have read here, I would love to hear from you. Please email me at email@example.com.